Description of problem:
in F29, pam-u2f was successfully configured, after upgrade to F30 it's no longer working properly

Version-Release number of selected component (if applicable):
pam-u2f-1.0.7-3.fc30.x86_64

How reproducible:
always

Steps to Reproduce:
1. enable pam-u2f e.g. for su on F29
2. upgrade to F30

Actual results:
token is not blinking anymore and button push will not help

Expected results:
working as with F29

Additional info:
it's still working via enabled Firefox browser, so no general problem
https://demo.yubico.com/webauthn-technical/

/etc/pam.d/su (extension):
auth sufficient pam_u2f.so interactive cue

in debug mode, following lines are shown

$ su -
debug(pam_u2f): pam-u2f.c:94 (parse_cfg): called.
debug(pam_u2f): pam-u2f.c:95 (parse_cfg): flags 0 argc 3
debug(pam_u2f): pam-u2f.c:97 (parse_cfg): argv[0]=interactive
debug(pam_u2f): pam-u2f.c:97 (parse_cfg): argv[1]=cue
debug(pam_u2f): pam-u2f.c:97 (parse_cfg): argv[2]=debug
debug(pam_u2f): pam-u2f.c:99 (parse_cfg): max_devices=0
debug(pam_u2f): pam-u2f.c:100 (parse_cfg): debug=1
debug(pam_u2f): pam-u2f.c:101 (parse_cfg): interactive=1
debug(pam_u2f): pam-u2f.c:102 (parse_cfg): cue=1
debug(pam_u2f): pam-u2f.c:103 (parse_cfg): nodetect=0
debug(pam_u2f): pam-u2f.c:104 (parse_cfg): manual=0
debug(pam_u2f): pam-u2f.c:105 (parse_cfg): nouserok=0
debug(pam_u2f): pam-u2f.c:106 (parse_cfg): openasuser=0
debug(pam_u2f): pam-u2f.c:107 (parse_cfg): alwaysok=0
debug(pam_u2f): pam-u2f.c:108 (parse_cfg): authfile=(null)
debug(pam_u2f): pam-u2f.c:109 (parse_cfg): authpending_file=(null)
debug(pam_u2f): pam-u2f.c:110 (parse_cfg): origin=(null)
debug(pam_u2f): pam-u2f.c:111 (parse_cfg): appid=(null)
debug(pam_u2f): pam-u2f.c:112 (parse_cfg): prompt=(null)
debug(pam_u2f): pam-u2f.c:157 (pam_sm_authenticate): Origin not specified, using "pam://***"
debug(pam_u2f): pam-u2f.c:168 (pam_sm_authenticate): Appid not specified, using the same value of origin (pam://***)
debug(pam_u2f): pam-u2f.c:180 (pam_sm_authenticate): Maximum devices number not set. Using default (24)
debug(pam_u2f): pam-u2f.c:198 (pam_sm_authenticate): Requesting authentication for user root
debug(pam_u2f): pam-u2f.c:209 (pam_sm_authenticate): Found user root
debug(pam_u2f): pam-u2f.c:210 (pam_sm_authenticate): Home directory for root is /root
debug(pam_u2f): pam-u2f.c:216 (pam_sm_authenticate): Variable XDG_CONFIG_HOME is not set. Using default value ($HOME/.config/)
debug(pam_u2f): pam-u2f.c:245 (pam_sm_authenticate): Using default authentication file /root/.config/Yubico/u2f_keys
debug(pam_u2f): util.c:102 (get_devices_from_authfile): Authorization line: root:***
debug(pam_u2f): util.c:107 (get_devices_from_authfile): Matched user: root
debug(pam_u2f): util.c:134 (get_devices_from_authfile): KeyHandle for device number 1: ***
debug(pam_u2f): util.c:153 (get_devices_from_authfile): publicKey for device number 1: ***
debug(pam_u2f): util.c:164 (get_devices_from_authfile): Length of key number 1 is 65
debug(pam_u2f): util.c:191 (get_devices_from_authfile): Found 1 device(s) for user root
debug(pam_u2f): pam-u2f.c:317 (pam_sm_authenticate): Using file '/var/run/user/1001/pam-u2f-authpending' for emitting touch request notifications
Insert your U2F device, then press ENTER.
USB send: 00ffffffff***
USB write returned 65
now trying with timeout 2
USB read rc read 64
USB recv: ffffffff****
device /dev/hidraw2 discovered as 'ePass FIDO'
version (Interface, Major, Minor, Build): 2, 1, 0, 1 capFlags: 3
debug(pam_u2f): util.c:272 (do_authentication): Device max index is 0
debug(pam_u2f): util.c:303 (do_authentication): Attempting authentication with device number 1
debug(pam_u2f): util.c:327 (do_authentication): Challenge: { "keyHandle": "***", "version": "U2F_V2", "challenge": "***", "appId": "pam:\/\/***" }
JSON: { "keyHandle": "***", "version": "U2F_V2", "challenge": "***", "appId": "pam:\/\/***" }
JSON challenge URL-B64: ***
client data: { "challenge": "***", "origin": "pam:\/\/***", "typ": "navigator.id.getAssertion" }
JSON: { "keyHandle": "***, "version": "U2F_V2", "challenge": "***", "appId": "pam:\/\/***" }
JSON app_id pam://***
JSON: { "keyHandle": "***", "version": "U2F_V2", "challenge": "***", "appId": "pam:\/\/***" }
JSON keyHandle URL-B64: ***
USB send: 0001***
USB write returned 65
USB send: 0001***
USB write returned 65
USB send: 0001***
USB write returned 65
now trying with timeout 2
USB read rc read 64
USB recv: 0100***
USB rc -2
debug(pam_u2f): util.c:363 (do_authentication): Device for this keyhandle is not present.
USB send: 000***
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
now trying with timeout 16
now trying with timeout 32
now trying with timeout 64
now trying with timeout 128
now trying with timeout 256
USB read rc read 64
USB recv: 01000***
Device /dev/hidraw2 failed ping, dead.

try to use pamu2fcfg, it also fails on F30

pamu2fcfg -d
USB send: 00fff***
USB write returned 65
now trying with timeout 2
USB read rc read 64
USB recv: ffffff***
device /dev/hidraw2 discovered as 'ePass FIDO'
version (Interface, Major, Minor, Build): 2, 1, 0, 1 capFlags: 3
JSON: { "challenge": "***", "version": "U2F_V2", "appId": "pam:\/\/***" }
JSON challenge URL-B64: ***
client data: { "challenge": "***", "origin": "pam:\/\/***", "typ": "navigator.id.finishEnrollment" }
JSON: { "challenge": "***", "version": "U2F_V2", "appId": "pam:\/\/***" }
JSON app_id pam://***
USB send: 0002***
USB write returned 65
USB send: 0002***
USB write returned 65
now trying with timeout 2
USB read rc read 64
USB recv: 020000***
USB rc -2
Unable to generate registration challenge, error in transport layer (-2)

also it won't approve if selinux is in permissive mode
This is working for me on F30 with selinux Enforcing. Granted I have:

device /dev/hidraw8 discovered as 'Yubikey NEO OTP+U2F+CCID'

vs

device /dev/hidraw2 discovered as 'ePass FIDO'

Makes me think it is a udev rule issue. What is the mode on your /dev/hidraw device? Mine is 0660.
I observe the same failure. For me, downloading the package libu2f-host to version 1.1.6-3 will work correctly again. These are the versions that work for me:

libu2f-host-1.1.6-3.fc30.x86_64
libu2f-server-1.0.1-14.fc30.x86_64
pam-u2f-1.0.7-3.fc30.x86_64
pamu2fcfg-1.0.7-3.fc30.x86_64
u2f-hidraw-policy-1.0.2-9.fc30.x86_64
More info. I have a "ePass FIDO NFC" configured as U2F+HOTP:

[58085.343272] usb 1-5.3: new full-speed USB device number 13 using xhci_hcd
[58085.421467] usb 1-5.3: New USB device found, idVendor=096e, idProduct=0854, bcdDevice=44.01
[58085.421471] usb 1-5.3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[58085.421474] usb 1-5.3: Product: FIDO KB
[58085.421477] usb 1-5.3: Manufacturer: FT
[58085.430330] input: FT FIDO KB as /devices/pci0000:00/0000:00:14.0/usb1/1-5/1-5.3/1-5.3:1.0/0003:096E:0854.000C/input/input24
[58085.482894] hid-generic 0003:096E:0854.000C: input,hidraw3: USB HID v1.00 Keyboard [FT FIDO KB] on usb-0000:00:14.0-5.3/input0
[58085.484020] hid-generic 0003:096E:0854.000D: hiddev96,hidraw4: USB HID v1.00 Device [FT FIDO KB] on usb-0000:00:14.0-5.3/input1

And this is my PAM setting:

auth sufficient pam_u2f.so authfile=/etc/pam_u2f.conf
can confirm, downgrading to libu2f-host-1.1.6-3.fc30 from https://koji.fedoraproject.org/koji/buildinfo?buildID=1191479 works, so looks like a problem was introduced between 1.1.6 and 1.1.8
https://github.com/Yubico/pam-u2f/issues/114 suggests that this is a known problem with libu2f-host 1.1.8: "There have been a couple of releases of libu2f-host recently. Make sure you have the latest one (1.1.9) since the previous one broke compatibility with a few devices." and that upgrading to 1.1.9 would also fix it.
FEDORA-2019-bb6f6f6569 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-bb6f6f6569
libu2f-host-1.1.10-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-bb6f6f6569
I can confirm that libu2f-host-1.1.10-1.fc30 works with Feitian U2F keys.
libu2f-host-1.1.10-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
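
Added example (not part of the original report, and not code from pam-u2f or libu2f-host): a small triage helper that maps a libu2f-host version to what this thread reports about it and recognises the failure pattern from the debug output above. The function names, the result labels and the sample log (a constructed excerpt of the reporter's output) are assumptions made for illustration.

```shell
#!/bin/sh
# classify_libu2f_host VERSION[-RELEASE]
# Labels are hypothetical; the version facts come from this bug report only.
classify_libu2f_host() {
    ver=${1%%-*}                       # strip the RPM release, e.g. "-3.fc30"
    case $ver in
        1.1.8) echo affected; return ;;    # reported broken with some devices
        1.1.7) echo unknown;  return ;;    # nobody in the thread tested it
    esac
    # sort -V (GNU coreutils) orders version strings; the lower one is printed first
    lowest=$(printf '%s\n%s\n' "$ver" 1.1.9 | sort -V | head -n 1)
    if [ "$lowest" = 1.1.9 ]; then
        echo fixed                     # 1.1.9 or later (1.1.10 confirmed in the thread)
    else
        echo pre-regression            # 1.1.6 reported working; older assumed the same
    fi
}

# triage_u2f_log: reads pam_u2f or pamu2fcfg debug output on stdin.
# "transport-failure" means a token was enumerated but the exchange then
# failed in the USB layer, which is the pattern shown in this report.
triage_u2f_log() {
    awk '
        /discovered as/                   { found = 1 }
        /USB rc -2/                       { rc = 1 }
        /failed ping, dead/               { dead = 1 }
        /error in transport layer \(-2\)/ { transport = 1 }
        END {
            if (!found)                         print "no-device"
            else if (rc && (dead || transport)) print "transport-failure"
            else                                print "no-signature"
        }'
}

# Constructed sample: a few lines excerpted from the debug output in this report.
sample_log() {
    cat <<'EOF'
device /dev/hidraw2 discovered as 'ePass FIDO'
USB rc -2
debug(pam_u2f): util.c:363 (do_authentication): Device for this keyhandle is not present.
Device /dev/hidraw2 failed ping, dead.
EOF
}

# On a live system: classify_libu2f_host "$(rpm -q --qf '%{VERSION}-%{RELEASE}' libu2f-host)"
sample_log | triage_u2f_log
classify_libu2f_host 1.1.8
```

A "transport-failure" result together with an "affected" version points at the library regression rather than at udev permissions or SELinux, which matches how the thread resolved.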